Is the random library used by the standard client in any way deterministic, or can one count on it being truly random?

For example, often random libraries are initialized with seed value of the current time, like in C++:

srand(time(NULL));

But if someone were to iterate over reasonable ranges of time when a client started, eventually one would use the same seed value, and thus be able to generate the same addresses.

Is the random library used by the standard client vulnerable to such an attack, or does it also use some other variables that are unpredictable (say, temperature of the processor down to such decimal places it becomes an unpredictable noise)?

It uses a cryptographically-secure random number generator, specifically the one included in OpenSSL. Generating a key from a source with less entropy than the equivalent bit strength of the key would be an inexcusable rookie coder error. It wouldn't survive in any popular open source program for more than a few days.
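To make the question's concern and the answer's point concrete, here is an added C example (not code from the question, the answer, or the Bitcoin client). It shows that a sequence drawn from the C library generator after `srand(seed)` is a pure function of the seed, so a key derived from it has at most as much entropy as the seed space (one year of second-resolution timestamps fits in 25 bits, far below the 256 bits a private key needs), and contrasts that with bytes read from the operating system's CSPRNG. The example assumes a POSIX system with `/dev/urandom`, used here as a stand-in for OpenSSL's `RAND_bytes`; the function names `seeded_sequence`, `seed_space_bits`, `os_random_bytes` and `same_seed_reproduces` are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Fill out[0..n) from the C library PRNG after seeding with `seed`.
   Nothing but the seed influences the output, so two runs with the
   same seed are indistinguishable. */
void seeded_sequence(unsigned seed, unsigned *out, size_t n) {
    srand(seed);
    for (size_t i = 0; i < n; i++) {
        out[i] = (unsigned)rand();
    }
}

/* Bits needed to enumerate `range` distinct seed values, i.e. the
   ceiling of log2(range), computed without <math.h>. This is the upper
   bound on the entropy of anything derived from such a seed. */
int seed_space_bits(unsigned long range) {
    if (range <= 1) return 0;
    unsigned long v = range - 1;
    int bits = 0;
    while (v) { bits++; v >>= 1; }
    return bits;
}

/* Read n bytes from the OS CSPRNG. Assumption: POSIX /dev/urandom,
   standing in for OpenSSL's RAND_bytes named in the answer.
   Returns 1 on success, 0 on failure. */
int os_random_bytes(unsigned char *out, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n;
}

/* Returns 1 if two seeded runs with the same seed give identical output
   (they always do: the generator is deterministic). */
int same_seed_reproduces(unsigned seed) {
    unsigned a[8], b[8];
    seeded_sequence(seed, a, 8);
    seeded_sequence(seed, b, 8);
    return memcmp(a, b, sizeof a) == 0;
}

int main(void) {
    unsigned seed = (unsigned)time(NULL);   /* the pattern from the question */
    printf("srand(%u) reproduces the same sequence twice: %d\n",
           seed, same_seed_reproduces(seed));
    printf("one year of timestamp seeds spans only %d bits "
           "(a 256-bit key needs 256)\n",
           seed_space_bits(365UL * 24 * 3600));

    unsigned char key[32];
    if (os_random_bytes(key, sizeof key)) {
        printf("32 bytes from the OS CSPRNG: ");
        for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
        printf("\n");
    }
    return 0;
}
```

The useful check for a reviewer is `seed_space_bits`: compare the size of the seed space a generator is initialized from with the bit strength of the key being produced; when the former is smaller, the key is weak regardless of how good the generator's mixing is, which is exactly the failure the comments below describe for the Debian OpenSSL patch.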

We would all like that to be true, but unfortunately it's not. Debian's broken patch to OpenSSL survived over a year and a half. It was caused by a change that reduced the entropy used. It's certainly easier to root out vulnerabilities in open source software. But that doesn't mean it always happens right away.
– Matthew Flaschen, Feb 1 '12 at 0:21


That's a much different kind of error than the one contemplated in this question. But you're right that, unfortunately as it happened, the effect was the same.
– David Schwartz, Feb 1 '12 at 1:03